Office (OLE) / .TMP malware analysis — malicious · 61145242a96945f7

MALICIOUS

Office (OLE) / .TMP

116.5 KB Created: 1996-12-17 01:32:42 Authoring application: Microsoft Excel

MD5: 02cb4bf3a6b0d9140c2c10f4212dc987 SHA-1: 46b3d6f4131ff11530ff535a523dac7c3ca1bcb1 SHA-256: 61145242a96945f712fbee980a98ed737fcc5b48ef8b35a9e4ecea9ba479901d

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The critical heuristic firing indicates exploitation of CVE-2009-3129, a known vulnerability in Microsoft Excel. This vulnerability allows for arbitrary code execution when the file is opened. The presence of a CreateProcess API reference further supports this. The large slack space in the OLE structure is also indicative of a packed or obfuscated malicious payload.

Heuristics 3

CVE-2009-3129 — Excel FEATHEADER record overflow critical CVE exact CVE_2009_3129

Workbook BIFF stream contains a FEATHEADER (Feature Header) record with anomalous size (record_size=23, isf=2, cbHdrData=4294967295). Legitimate FEATHEADER records are tiny (<100 bytes) and carry cbHdrData values that fit in the record body; the value here is the documented CVE-2009-3129 exploit primitive — cbHdrData drives a memcpy with attacker-controlled size, leading to memory corruption and code execution in Excel 2007/2003.
Reference to CreateProcess API high SC_STR_CREATEPROCESS

Reference to CreateProcess API
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 119,296 bytes but its declared streams total only 24,565 bytes — 94,731 bytes (79%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.